We currently have no way to verify the identity of an HTTP request made by a client.
A system that allows 3rd party HTTP servers to know if an HTTP request was made by a genuine player would be great.
Use case
For Tone API, this would allow players to authenticate with our backend.
This would mean we can create per-player settings on the backend, and allow players to edit them using a client mod.
We would also be able to let users link their UID with Discord (using a client mod and a discord bot for example).
Linking UIDs with Discord users would mean being able to login through our website (using Oauth2) and change settings.
It would also facilitate fetching one user's stats from the discord bot, or even changing settings through the bot.
Proposal
I'd suggest using a token-based authentication system:
Client logs in to the masterserver; the masterserver gives a token to the client.
Client sends an HTTP request containing the token to a 3rd party HTTP server.
3rd party server checks the authenticity of the token with the masterserver using an HTTP request.
Each third-party server should have a unique token if we do this.
Would probably use a short-lived JWT as the third-party token to reduce load on Atlas.
For linking the UID, we can (and should) add a built-in button to the lobby which opens an Atlas account page in a browser. That link would be populated during origin auth.
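A sketch of the flow the reply above describes, as an added example that is not code from this thread or from the Atlas project: the masterserver mints a short-lived HS256 JWT bound to one third-party server through its audience claim, and that server validates the token locally instead of calling the masterserver on every request. The per-server secrets, the server names and the claim layout are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example: one HMAC secret per third-party server, held by the
# masterserver and shared out of band with that one server only (assumption).
SERVER_SECRETS = {"tone-api": b"constructed-tone-api-secret", "other-server": b"constructed-other-secret"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(uid: str, audience: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Masterserver side: mint a short-lived HS256 JWT bound to one third-party server."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": uid, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = header + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SERVER_SECRETS[audience], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, expected_audience: str, now: Optional[int] = None) -> Optional[str]:
    """Third-party server side: check signature, audience and expiry locally, without
    calling the masterserver. Returns the player UID, or None on any failure."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        # Pin the algorithm: the token's own "alg" must never select the verifier.
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        expected = hmac.new(SERVER_SECRETS[expected_audience],
                            f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(claims_b64))
        # Audience binding: a token minted for another server is rejected even if it verified.
        if claims.get("aud") != expected_audience:
            return None
        # Short expiry bounds the replay window without a revocation call to Atlas.
        if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
            return None
        return claims.get("sub")
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
```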
Information the masterserver could return: